Tuesday, July 8, 2014

General Useful Palo Alto Networks Firewall (PAN-OS) CLI Commands

General system health

show system info – provides the system's management IP, serial number and code version
show system statistics – shows the real-time throughput on the device
show system software status – shows whether the various system processes are running
show jobs processed – used to see when commits, downloads, upgrades, etc. have completed
show system disk-space – shows percent usage of the disk partitions
show system logdb-quota – shows the maximum log file sizes
debug dataplane internal vif link – shows management interface (eth0) counters


Monitor CPUs

show system resources – shows the processes running in the management plane, similar to the "top" command
show running resource-monitor – used to see resource utilization in the dataplane, such as dataplane CPU utilization
less mp-log mp-monitor.log – every 15 minutes the system runs a script that records management plane resource usage; the output is stored in this file
less dp-log dp-monitor.log – every 15 minutes the system runs a script that records dataplane resource usage; the output is stored in this file

General dropped packet troubleshooting

ping source <ip> host <host> – pings from the specified firewall source interface address
ping host <host> – pings from the MGT interface
show session all | match <text> – used to show specific sessions in the session table. You can enter any text after the word match; a source or destination IP or an application name are good examples
show session all filter destination <ip> destination-port <port> – shows all sessions going to a particular destination IP and port
show session id <id> – shows the specifics of a particular session; enter the session ID number after the word "id"
show counter interface <interface> – shows the counters for an interface
show counter global | match drop – used to troubleshoot dropped packets
show counter global filter delta yes | match [ drop | error | frag ] – shows only the counters that changed since the last time this command was run, filtered on a particular keyword. Run it once to set the baseline, then again while reproducing the problem
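The two "show counter global" commands above print a table that is tedious to read by eye when many counters are moving at once. The following is an added example written for this page (not Palo Alto Networks code): it parses a constructed copy of the "show counter global filter delta yes" table and pulls out the drop-severity counters that are still incrementing, then totals drops per category/aspect so you can see where in the pipeline packets are being lost. The sample output, its values and the exact column spacing are assumptions modelled on the real command's layout (the counter names are real), so adjust ROW_RE if your PAN-OS version formats the table differently.

```python
"""Summarise drop counters from `show counter global filter delta yes` output.

Added example for this page (not Palo Alto Networks code).  SAMPLE_OUTPUT is a
constructed copy of what the command prints; the column layout
(name value rate severity category aspect description) follows the real
command, but the exact spacing is an assumption, so adjust ROW_RE if your
PAN-OS version formats the table differently.
"""
import re
from collections import defaultdict

# Constructed sample output: counter names are real PAN-OS counters, values are made up.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 5.012 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                8412     1678 info      packet    pktproc   Packets received
pkt_sent                                8107     1617 info      packet    pktproc   Packets transmitted
flow_policy_deny                          37        7 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop                     12        2 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_l3_ttl_zero                       3        0 drop      flow      forward   Packets dropped: IP TTL reaches zero
flow_rcv_dot1q_tag_err                     5        0 drop      flow      parse     Packets dropped: 802.1q tag not configured
ctd_pkt_slowpath                         210       41 info      ctd       pktproc   Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 7
"""

# One counter row.  Header, separator and summary lines do not match because
# their second field is not an integer (or the first word has upper-case letters).
ROW_RE = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.+?)\s*$"
)


def parse_counters(text):
    """Return a list of dicts, one per counter row, with value/rate as ints."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["value"] = int(row["value"])
            row["rate"] = int(row["rate"])
            rows.append(row)
    return rows


def active_drops(rows, min_rate=1):
    """Drop-severity counters still incrementing (rate >= min_rate).

    With `delta yes` the value column is already the change since the previous
    run, so a zero rate means the counter stopped moving between samples.
    """
    return [r for r in rows if r["severity"] == "drop" and r["rate"] >= min_rate]


def drops_by_area(rows):
    """Total dropped packets per category/aspect, for a quick 'where' answer."""
    totals = defaultdict(int)
    for r in rows:
        if r["severity"] == "drop":
            totals[r["category"] + "/" + r["aspect"]] += r["value"]
    return dict(totals)


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_OUTPUT)
    for r in active_drops(counters):
        print(f"{r['name']:<28} {r['value']:>6} ({r['rate']}/s)  {r['desc']}")
    print(drops_by_area(counters))
```

On a live box, paste the command output into SAMPLE_OUTPUT (or read it from a file captured over SSH) and compare two runs taken while reproducing the problem: counters that sit at zero rate in the second run are not your drop.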

NAT

show running nat-policy – shows the current NAT policy table
show running ippool – shows NAT pool usage; use it to see whether a pool is leaking
test nat-policy-match – simulates traffic going through the device and reports which NAT policy it matches

Routing

show routing route – displays the routing table
test routing fib-lookup virtual-router <vr-name> ip <ip> – finds which route in the routing table will be used to reach the IP address that you are testing

Policies

show running security-policy – shows the current policy set
test security-policy-match from trust to untrust destination <ip> – simulates a packet going through the system and reports which policy it matches (trust and untrust here are example zone names)

PAN Agent

show user pan-agent statistics – used to see if the agent is connected and operational. Status should be "connected OK" and you should see numbers under users, groups and IPs
show pan-agent user-IDs – used to see if the firewall has pulled groups from the PAN Agent
show user ip-user-mapping all – shows the IP-to-username mappings on the firewall
clear user-cache all – clears the User-ID cache
debug device-server reset pan-agent <agent-name> – resets the firewall's connection to the specified agent

URL

test url <url> – used to test the categorization of a URL on the firewall
tail follow yes mp-log pan_bc_download.log – shows the BrightCloud database update log
request url-filtering download status – shows the status of the database download (essentially the last line of the pan_bc_download.log file)
debug dataplane show url-cache statistics – shows statistics on the URL cache
show counter global | match url – shows statistics on URL processing
clear url-cache all – clears the URL cache; the cache holds the 100k most popular URLs on this network
show log url direction equal backward – views the URL log, most recent entries first

To test connectivity to the BrightCloud servers:

ping host service.brightcloud.com
ping host database.brightcloud.com

Log viewing / deleting:

show log [ system | traffic | threat ] direction equal backward – takes you to the end of the specified log (most recent entries first)
show log [ system | traffic | threat ] direction equal forward – takes you to the beginning of the specified log
clear log [ traffic | threat | acc ] – clears everything in the specified log

Content updates, software and licenses

tftp import content from <host> file <file> – imports a content package onto the firewall over TFTP
request content upgrade install file <file> – installs the imported content file
request content downgrade install previous – downgrades to the previous content version
request system private-data-reset – clears the config and the logs/reports
debug swm [ status | list | revert ] – shows the software versions available to install, or the version that was installed. "revert" is used to go back to the last running OS version without having to do a factory reset (such as from 4.0 back to 3.1)
request license info – shows the licenses installed on the device
delete license key ? – used to delete a license file if you are having issues and want to retrieve new licenses; the question mark lists the file names, so delete only the files you see fit

Config diff/force/cli format

show config diff – compares two versions of the config
commit force – performs a commit even if there are errors
set cli config-output-format set – used to view the config in "set" format; run it in operational mode (>), then enter configure (#) and "show" the config

Session settings and dataplane buffers

set deviceconfig setting session tcp-reject-non-syn no – stops the firewall from rejecting TCP flows whose first packet is not a SYN, so sessions can be created mid-stream (configure mode, requires a commit); confirm the change took effect with show session info
set deviceconfig setting session offload no – makes all packets go through the CPU instead of the fastpath, i.e. turns off session offload to the EZ chip (configure mode, requires a commit); confirm the change took effect with show session info
debug dataplane pool statistics – shows the different dataplane buffer pools and can be used to see if the system is nearing capacity in a certain function